Deserialization Vulnerability in LabOne Q Framework by Zurich Instruments
CVE-2026-7584

8.4HIGH

Key Information:

Vendor: Zurich Instruments
Status: Labone Q
Vendor: CVE Published:; 1 May 2026

🔔 Create Zurich Instruments Vulnerability Alert

What is CVE-2026-7584?

The LabOne Q serialization framework contains a vulnerability in its deserialization mechanism, which allows an attacker to exploit arbitrary class-loading via unserialized data. Because the framework permits the import and instantiation of Python classes without adequate validation, a crafted serialized file could lead to arbitrary code execution. This risk arises particularly when malicious files are inadvertently loaded by users in collaboration environments or during technical support sessions.

Affected Version(s)

LabOne Q 2.41.0 < 26.1.2

LabOne Q 26.4.0b1 <= 26.4.0b5

References

https://www.zhinst.com/support/security/2026/zi-sa-2026-002/

vendor-advisory

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
May 1, 2026

CVE-2026-7584 Data

JSON